Mitm fails with SEC_ERROR_REUSED_ISSUER_AND_SERIAL

[richp10]

I had a working application performing mitm proxy.

I upgraded Go from 1.10 to 1.12 along with move to go modules. As such, I am not 100% sure I have correctly identified whether the issue is with Goproxy, GO or another dependency. I have tried latest and slightly older version of Goproxy and I tried Go 1.11 and so far have not found a version which works.

When I retrieve pages, they initially arrive without error. If I then refresh the page, Firefox reports the error: SEC_ERROR_REUSED_ISSUER_AND_SERIAL - the debug message from Goproxy is WARN: Cannot handshake client www.gstatic.com:443 remote error: tls: bad certificate

If I wait a minute, I can sometimes refresh the page, though some objects get the same error.

I suspect this issue is related to this old issue: https://github.com/elazarl/goproxy/pull/314 and and in another project which uses Goproxy: https://github.com/bettercap/bettercap/issues/514

Or more current - is this maybe the cause? https://github.com/elazarl/goproxy/issues/297

If there is no obvious answer, I will try and build the absolute minimum project which replicates the issue reliably.

[elazarl]

I think we understand the issue now. This is because Go now takes more data than it needs from the random source.

We're thinking of a solution now.

On Wed, May 8, 2019 at 1:45 PM richp10 notifications@github.com wrote:

I had a working application performing mitm proxy.

I upgraded Go from 1.10 to 1.12 along with move to go modules. As such, I am not 100% sure I have correctly identified whether the issue is with Goproxy, GO or another dependency. I have tried latest and slightly older version of Goproxy and I tried Go 1.11 and so far have not found a version which works.

When I retrieve pages, they initially arrive without error. If I then refresh the page, Firefox reports the error: SEC_ERROR_REUSED_ISSUER_AND_SERIAL - the debug message from Goproxy is WARN: Cannot handshake client www.gstatic.com:443 remote error: tls: bad certificate

If I wait a minute, I can sometimes refresh the page, though some objects get the same error.

I suspect this issue is related to this old issue: #314 https://github.com/elazarl/goproxy/pull/314 and and in another project which uses Goproxy: bettercap/bettercap#514 https://github.com/bettercap/bettercap/issues/514

Or more current - is this maybe the cause? #297 https://github.com/elazarl/goproxy/issues/297

If there is no obvious answer, I will try and build the absolute minimum project which replicates the issue reliably.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/elazarl/goproxy/issues/341, or mute the thread https://github.com/notifications/unsubscribe-auth/AAB7RIUBOB3FC7S23VGA5F3PUKVOBANCNFSM4HLQRMXA .

[richp10]

I have found a fix for this. Let me know if you want this as a PR though it is very simple so you could just take from here. The solution is to replace use of crypto/rand

The edit is to signer.go

import gitlab.com/NebulousLabs/fastrand

Replace block of code from ~line 47 with

hash := make([]byte, 20)
fastrand.Read(hash)
serial := new(big.Int)
serial.SetBytes(hash)

I am unqualified to comment on the cryptographic implications but this is working perfectly well for me and I no longer get the SEC_ERROR_REUSED_ISSUER_AND_SERIAL error.

[elazarl]

I want to understand why does this work before using it. It should have the same problem of reading excessive bytes on purpose by the keygen utils.

On Tue, May 21, 2019 at 5:49 PM richp10 notifications@github.com wrote:

I have found a fix for this. Let me know if you want this as a PR though it is very simple so you could just take from here. The solution is to replace use of crypto/rand

The edit is to signer.go

import gitlab.com/NebulousLabs/fastrand

Replace block of code from ~line 47 with

hash := make([]byte, 20) fastrand.Read(hash) serial := new(big.Int) serial.SetBytes(hash)

I am unqualified to comment on the cryptographic implications but this is working perfectly well for me and I no longer get the SEC_ERROR_REUSED_ISSUER_AND_SERIAL error.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/elazarl/goproxy/issues/341?email_source=notifications&email_token=AAB7RIVQ7J2Z2QPOYQOFYTLPWQDW3A5CNFSM4HLQRMXKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODV4FCFA#issuecomment-494424340, or mute the thread https://github.com/notifications/unsubscribe-auth/AAB7RIT75DHZWDK572BLA2DPWQDW3ANCNFSM4HLQRMXA .

[hamstah]

Hi, Any progress on this issue? Thanks